Microsoft Passport
Windows 10 introduces a much stronger approach to user authentication, largely through its implementation of Microsoft Passport. Instead of a password, sign-in uses two factors: the enrolled device itself and a user gesture, which is either a PIN or a biometric supplied by Windows Hello.
Passport can be used to sign in to a Microsoft Account, an Azure Active Directory account, an on-premises Active Directory account, or third-party services that support FIDO (Fast IDentity Online) authentication. During enrollment the user first completes a two-step verification, after which Passport is provisioned on the device. The user then sets a "gesture" (a PIN, a biometric, or a device such as a smart card) that will be used to verify identity on that device. A user with a provisioned Passport can then access the services and resources it protects.
Passport relies on an asymmetric key pair as the credential. The key pair is generated on the device during enrollment, and the gesture is what authorizes use of the private key; the gesture itself is never sent anywhere. When the device has a Trusted Platform Module (TPM 1.2 or TPM 2.0), the private key is generated and held inside the TPM and its origin can be hardware attested. When no TPM is available, the key is generated in software. In either case the private key never leaves the device, which is what gives the scheme its strength. In certificate-based deployments the key pair is additionally bound to a certificate.
The public key (not the private key) is registered with the identity provider (IDP), that is, Azure Active Directory or Windows Server Active Directory. At sign-in the IDP verifies the user by issuing a challenge that the device signs with its private key; the IDP checks the signature against the registered public key. One-time passwords (OTPs), PhoneFactor calls and other notification mechanisms are used for the two-step verification that proves the user's identity before the key is registered, not for every sign-in.
Benefits of Passport
The greatest benefit is realized in an enterprise setting: an employee provides their credentials once to set up Passport, and from then on a simple gesture is all it takes to reach enterprise resources.
Passport also protects user identities and credentials. Because no password is sent to or stored by the server, password phishing and brute-force attacks against the IDP lose their value. A breach of the IDP's credential store is far less damaging, since Passport credentials are asymmetric key pairs and the server holds only public keys. Replay attacks are defeated because each sign-in signs a fresh server-issued challenge, and when the key is generated inside the isolated environment of the TPM (Trusted Platform Module) the signing key cannot be copied off the device.
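The key-pair sign-in model described above, as an added example written for this page (it is not Microsoft's code and does not reproduce the real Passport wire protocol): a Go sketch in which the device generates an Ed25519 key pair, the IDP stores only the public key, and every sign-in signs a fresh server-issued challenge after a locally checked PIN releases the key. The Device and IDP types, the key ID derived from the public key, and the PIN-as-gesture model are assumptions for illustration; a real device keeps the key in the TPM rather than in process memory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// Device models an enrolled Windows 10 device (an assumption of this sketch).
// The private key is generated here and never leaves; a locally checked PIN gates its use.
type Device struct {
	priv ed25519.PrivateKey
	pin  string
}

// IDP models Azure AD / AD: it stores only public keys, indexed by a key ID,
// and remembers which challenges it has issued and not yet consumed.
type IDP struct {
	keys   map[string]ed25519.PublicKey
	nonces map[string]bool
}

func NewIDP() *IDP {
	return &IDP{keys: map[string]ed25519.PublicKey{}, nonces: map[string]bool{}}
}

// Enroll generates the key pair on the device and registers the public key with
// the IDP. The two-step verification that precedes this step is assumed done.
func Enroll(idp *IDP, pin string) (*Device, string, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, "", err
	}
	// Key ID: first 8 bytes of the public key, hex encoded (a modelling choice).
	keyID := hex.EncodeToString(pub[:8])
	idp.keys[keyID] = pub
	return &Device{priv: priv, pin: pin}, keyID, nil
}

// Challenge issues a fresh 32-byte random nonce that is valid for one sign-in.
func (idp *IDP) Challenge() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	nonce := hex.EncodeToString(b)
	idp.nonces[nonce] = true
	return nonce, nil
}

// Respond is the device side of sign-in: verify the gesture locally, then sign the
// challenge bound to this key ID. Neither the PIN nor the private key is transmitted.
func (d *Device) Respond(pin, nonce, keyID string) ([]byte, error) {
	if subtle.ConstantTimeCompare([]byte(pin), []byte(d.pin)) != 1 {
		return nil, errors.New("gesture rejected: private key stays locked")
	}
	return ed25519.Sign(d.priv, []byte(nonce+"|"+keyID)), nil
}

// Verify is the IDP side: the nonce must be outstanding (this is what defeats replay)
// and the signature must verify under the registered public key. The nonce is consumed either way.
func (idp *IDP) Verify(keyID, nonce string, sig []byte) error {
	if !idp.nonces[nonce] {
		return errors.New("unknown or already used challenge")
	}
	delete(idp.nonces, nonce)
	pub, ok := idp.keys[keyID]
	if !ok {
		return errors.New("unknown key ID")
	}
	if !ed25519.Verify(pub, []byte(nonce+"|"+keyID), sig) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	idp := NewIDP()
	dev, keyID, err := Enroll(idp, "1234")
	if err != nil {
		panic(err)
	}
	nonce, _ := idp.Challenge()
	sig, _ := dev.Respond("1234", nonce, keyID)
	fmt.Println("first sign-in:", idp.Verify(keyID, nonce, sig))   // <nil>
	fmt.Println("replayed sign-in:", idp.Verify(keyID, nonce, sig)) // unknown or already used challenge
	_, err = dev.Respond("0000", nonce, keyID)
	fmt.Println("wrong gesture:", err)
	// What a breach of the IDP store yields: public keys only, useless for signing.
	fmt.Printf("IDP store for %s: %x\n", keyID, idp.keys[keyID])
}
```

Running it shows the first sign-in verifying, the replayed signature rejected because its nonce was consumed, and the wrong PIN failing on the device before anything is sent. A dump of idp.keys gives an attacker nothing but public keys, which cannot produce a valid signature over the next challenge.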
What do I need to Deploy Microsoft Passport?
For individual users, the only requirement is a computer running Windows 10. At the enterprise level, the company needs an Azure AD subscription (plus Azure AD Connect in a hybrid environment). If only on-premises resources are involved, the company can instead use Windows Server 2016 Active Directory together with a Windows Server 2016 AD FS server.
For enterprise deployments, the following is a more detailed view of the required resources, grouped by the Passport mode (key-based or certificate-based) and the directory scenario you will be running.
Key-based authentication
For Azure AD:
- Azure AD Subscription
For On-Premises AD:
- AD FS (Active Directory Federation Services) from Windows Server 2016 Technical Preview
- One or more on-premises domain controllers running Windows Server 2016 Technical Preview
- Microsoft System Center 2012 R2 Configuration Manager SP2
For AD/Azure AD hybrid:
- An Azure AD subscription and AD Connect
- One or more on-premises domain controllers running Windows Server 2016 Technical Preview
- Microsoft System Center 2012 R2 Configuration Manager SP2
Certificate-based authentication
For Azure AD:
- Azure AD subscription
- Non-Microsoft MDM (Mobile Device Management) solution, or Intune
- PKI Infrastructure
For On-Premises AD:
- AD FS
- AD DS (Active Directory Domain Services) with the Windows Server 2016 Technical Preview schema
- PKI Infrastructure
- Non-Microsoft MDM solution, Config Manager SP2, or Intune
For AD/Azure AD hybrid:
- PKI Infrastructure
- Azure AD Subscription
- Non-Microsoft MDM solution, Config Manager SP2, or Intune
MDM solutions and Configuration Manager let you manage Passport policies and deployment, as well as the certificates that Passport protects.
An Azure AD subscription lets you register enterprise devices and provide Passport for organizational accounts.
Finally, Active Directory authorizes devices and users with Passport-protected keys, provided the domain controllers run Windows Server 2016 Technical Preview and AD FS on that release supplies the Passport provisioning service.
Key-Based vs. Certificate-Based?
In the previous section, we defined the software requirements for the roll-out of Microsoft Passport. We defined two sets of scenarios - key-based and certificate-based authentication. But what exactly is the difference?
Windows 10's Microsoft Passport can use either certificates or keys (hardware- or software-backed) as the credential. Enterprises with a PKI (Public Key Infrastructure) for issuing and managing certificates can use it together with Passport (certificate-based). Enterprises that want to avoid the effort of managing certificates, or simply have no PKI, can rely on key-based Passport credentials instead.
Hardware-backed keys generated by a TPM provide the highest level of security. A TPM leaves the factory with an Endorsement Key (EK) and an EK certificate issued by the manufacturer; this certificate is the root of trust for the other keys generated in the same TPM.
The EK certificate is used to obtain an Attestation Identity Key (AIK) certificate from a certificate authority (Microsoft's). The AIK can then prove to identity providers, through an attestation claim, that the Passport keys were generated in that same TPM. Microsoft's certificate authority (CA) issues a separate AIK certificate for each device, user and IDP combination, so the AIK cannot be used to correlate a user across identity providers and the user's privacy is protected.
When AD, Azure AD or another identity provider enrolls a Passport certificate, Windows 10 supports the same scenarios as a smart card. When a key is the credential type, only key-based trust operations are supported.
What is the Azure active directory?
Another component we keep mentioning is Azure Active Directory, or Azure AD. Although it predates Windows 10, it takes center stage now that Windows 10 relies on it for Microsoft Passport.
Azure AD is a cloud-based, multi-tenant directory and identity management service. It gives IT admins an easy-to-use and affordable way to provide employees and business partners with single sign-on (SSO) to thousands of cloud apps, such as Dropbox, Office 365, Concur and Salesforce.com. For app developers, it offers fast and simple integration with an identity management solution so they can focus on building the app.
Beyond its integration with Passport, Azure AD offers a full set of identity management capabilities: multi-factor authentication, self-service password management, device registration, privileged account management, self-service group management, application usage monitoring, security monitoring and more. This helps cut costs and streamline processes.
Customers of Azure, Office 365 and Dynamics CRM Online are already using Azure AD, usually without realizing it: each such customer already has an Azure AD tenant.
Implementing Passport in your Organization
To get the most out of Windows 10's security, use Passport in place of regular passwords wherever it is supported. The following are the policy settings you will work with when implementing Passport, whether for yourself or for an organization.
Microsoft Passport Enabled
This is a device-wide setting with a default of True, which provisions Passport for all users of the device. Setting it to False stops provisioning. If Passport was enabled and the policy is later set to False, users who have already set up Passport can continue to use it, but they cannot set up Passport on other devices.
Hardware TPM Required
This is also a device-wide setting and defaults to No. When set to Yes, Passport is provisioned only if a TPM is available. When set to No, Passport falls back to software-generated keys on devices without a TPM; if a TPM is present it is still used.
Maximum PIN Length
This applies to the device or the user and defaults to 127 characters, which is also the largest value allowed. It cannot be set lower than the minimum PIN length.
Minimum PIN Length
This applies to the device or the user and defaults to 4 characters, which is the smallest value allowed. It cannot be set higher than the maximum PIN length.
Uppercase Letters
This applies to the device or the user and defaults to 1, meaning uppercase letters are not allowed in PINs. Set it to 2 to require at least one uppercase letter in every PIN.
Lowercase Letters
This applies to the device or the user and works the same way as Uppercase Letters: the default of 1 disallows lowercase letters, and 2 requires at least one.
Special Characters
This applies to the device or the user and works the same way as the two previous settings: the default of 1 disallows special characters, and 2 requires at least one.
Digits
This applies to the device or the user. Unlike the previous settings, the default is 2, which requires at least one digit; setting it to 1 disallows digits. Taken together, the defaults mean that a PIN set up without changing any policy must consist of digits only and be between 4 and 127 characters long.
Enable Biometrics
This is a device-wide setting that defaults to No, meaning only a PIN can be used as the gesture. When set to Yes, biometrics can be enrolled and used instead of a PIN.
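To show how the PIN settings combine, here is an added example written for this page (not Microsoft's implementation): a Go validator that encodes the settings as described above, with 1 meaning the character class is not allowed and 2 meaning at least one such character is required, and that reports every rule a candidate PIN breaks. It also rejects a policy that violates the 4 to 127 bounds. Two assumptions are built in: a policy value other than 1 or 2, which the text does not describe, is treated as "allowed but not required", and any character that is neither a letter nor a digit is counted as a special character.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode"
)

// Values defined for the four character-class settings.
const (
	NotAllowed = 1 // the class may not appear in the PIN
	Required   = 2 // at least one character of the class must appear
)

// PINPolicy mirrors the Passport PIN settings described above.
type PINPolicy struct {
	MinLength, MaxLength                  int
	Uppercase, Lowercase, Special, Digits int
}

// DefaultPolicy returns the out-of-the-box values: 4 to 127 characters,
// digits required, every other class disallowed.
func DefaultPolicy() PINPolicy {
	return PINPolicy{MinLength: 4, MaxLength: 127,
		Uppercase: NotAllowed, Lowercase: NotAllowed, Special: NotAllowed, Digits: Required}
}

// Check rejects a policy whose length bounds Passport itself would not accept.
func (p PINPolicy) Check() error {
	switch {
	case p.MinLength < 4:
		return errors.New("minimum PIN length cannot be below 4")
	case p.MaxLength > 127:
		return errors.New("maximum PIN length cannot exceed 127")
	case p.MinLength > p.MaxLength:
		return errors.New("minimum PIN length exceeds maximum")
	}
	return nil
}

// classCounts tallies the four classes; anything that is not a letter or a
// digit counts as a special character (an assumption of this model).
func classCounts(pin string) (upper, lower, special, digit int) {
	for _, r := range pin {
		switch {
		case unicode.IsUpper(r):
			upper++
		case unicode.IsLower(r):
			lower++
		case unicode.IsDigit(r):
			digit++
		default:
			special++
		}
	}
	return
}

// classViolation applies one class setting; any value other than 1 or 2 is
// treated as "allowed but not required" (assumption).
func classViolation(name string, setting, count int) string {
	switch {
	case setting == NotAllowed && count > 0:
		return name + " not allowed"
	case setting == Required && count == 0:
		return "at least one " + name + " required"
	}
	return ""
}

// Validate returns every rule the PIN breaks, so a set-up screen can show them
// all at once, or nil if the PIN satisfies the policy.
func (p PINPolicy) Validate(pin string) []string {
	var v []string
	n := len([]rune(pin))
	if n < p.MinLength {
		v = append(v, fmt.Sprintf("shorter than %d characters", p.MinLength))
	}
	if n > p.MaxLength {
		v = append(v, fmt.Sprintf("longer than %d characters", p.MaxLength))
	}
	up, lo, sp, di := classCounts(pin)
	for _, c := range []struct {
		name  string
		set   int
		count int
	}{
		{"uppercase letter", p.Uppercase, up}, {"lowercase letter", p.Lowercase, lo},
		{"special character", p.Special, sp}, {"digit", p.Digits, di},
	} {
		if msg := classViolation(c.name, c.set, c.count); msg != "" {
			v = append(v, msg)
		}
	}
	return v
}

func main() {
	def := DefaultPolicy()
	for _, pin := range []string{"1234", "123", "12a4", strings.Repeat("7", 128)} {
		fmt.Printf("%-8.8s default policy: %v\n", pin, def.Validate(pin))
	}
	// A stricter policy: 8+ characters, uppercase and a special character required.
	strict := def
	strict.MinLength, strict.Uppercase, strict.Special = 8, Required, Required
	fmt.Println("strict policy check:", strict.Check(), "violations:", strict.Validate("PASSPORT-2015"))
}
```

Under the defaults, "1234" passes while "123", "12a4" and a 128-digit PIN each fail on exactly one rule, which is what the "Create a work PIN" screen would have to tell the user.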
The People side: How Do People in the Organization use Passport?
So far we have covered the software and the devices it runs on. What about the people? When you deploy Passport in an enterprise, prepare your users so they get the most out of its security features: explain what Passport is, and walk them through the basic steps.
On organization-owned devices, there is one specific step during the setup of a new device: users are asked who owns the device, and they must select "This device belongs to my organization".
Next they select a connection. This depends on your enterprise setup, so tell your people which one to choose. They are then asked to sign in and verify their identity, which can be done in various ways (phone call, authentication app, text message, and so on). The PIN is created after verification; on the "Create a work PIN" screen, Passport displays the complexity requirements set by policy (such as the minimum length).
Once Passport is set up, unlocking the device with the PIN automatically signs the user in.
Users who want to access enterprise resources from a personal device can add a work or school account under Settings → Accounts → Work or school. They sign in with their work credentials, choose how to receive the verification code (as in the enterprise setup), enter the code, and then confirm a new PIN. Token-based resources are then available on the device without further credential prompts. Note that this account gesture does not affect the device's own unlock PIN.
Work and personal credentials are kept in separate containers, so users need not worry about the enterprise having access to their personal credentials.
To unregister a work account from a personal device, go to Settings → Accounts → Work or school, select the registered work account, and click Unjoin to remove the account from that device.
What if I want to change my password or credentials?
When Passport is set up, the gesture used to sign in is specific to that device. You can set up Passport on several devices for the same account and reach the same resources from each. However, when the account password changes, the new password must be entered once on each device before Passport can be used there again; entering it on one device updates the Passport for that device only.
If you need to update Passport after the password was changed on another device, follow these steps:
- Try to sign in with the same gesture as before. You will see the message: "Your password was changed on a different device. You must sign in to this device once with your new password, and then you can sign in with your PIN."
- Click on OK.
- Click on Sign-in options.
- Click on the Password button.
- Sign in using the new password.
- After confirming this, try signing in again. Select Sign-in options, and then select the PIN option to resume using the gesture.
Again, this is device-specific: if five devices sign in to the same enterprise account (whatever gestures they use), you will need to repeat this on all five.